ORACLE AUDIT VAULT: OVERVIEW AND ANALYTICS
“Imagination is more important than knowledge. For knowledge is limited to all we now know and understand, while imagination embraces the entire world, and all there ever will be to know and understand.”
– Albert Einstein
ABOUT THE PRESENTER
• 14 years Oracle experience, 4 years MSSQL
• Coauthor with Michael McLaughlin on PL/SQL
• Principal Database Engineer at the LDS Church
• Database Security Enthusiast
• Database Nut
PRESENTATION CAVEATS
• We will cover Oracle Audit Vault installation, not the Oracle Firewall product
• Our examples will be Oracle centric
• The presenter and partners are available if you need help, including more advanced design and installation
PERFORMANCE: DATA RETENTION AND HARDWARE CONSIDERATIONS
MINIMUM REQUIREMENTS AV ONLY
• 125 GB disk space
• 1 NIC
• Java SE6+
• Mozilla 14, IE 8, Chrome 21, Safari 5
• Adobe Flash
• AV agents must have access to the OAV server
REALISTIC REQUIREMENTS AV ONLY
• 128 GB RAM
• (4) processors, 12 cores
• (4) FusionIO 1.6 TB IOScale devices
• (16) 600 GB SAS disks
• 1 NIC
• Hardware must exist on Oracle’s hardware compatibility list
ARCHITECTURE: AUDIT VAULT AND FIREWALL OVERVIEW & REMEDIATION PROCESS
[Architecture diagram: the Audit Vault agent communicates with the Oracle Audit Vault server; server components shown are Alerting, Audit DB Objects, User Entitlement, Policy Management and Audit Data Lifecycle; audited sources shown are Oracle, MySQL, MSSQL, Sybase, DB2, SQL Anywhere and Windows AD/LDAP]
ORACLE AUDIT VAULT FEATURES (ORACLE ONLY)
• Automatic data collection
• Dozens of built-in, customizable reports & policies
• Custom alerting
• Java agent deployable across Windows and *NIX
• Logs DB audit trails and OS system logs
ORACLE AUDIT VAULT SERVER
• Secured, tightly hardened OS
• Same kernel as Oracle Exadata
• Oracle DB 11.2.0.3
• Install and update are easy*
*Beware: any customizations to /etc/fstab or other system files are reverted when updates are performed. If you customize any system settings, script those changes so they can be reapplied.
INSTALLATION & UPGRADE PROCESS
DEPLOYING AGENTS ON LINUX SERVERS
• Java Executable
• Download via OAV portal
• Collection can be suspended by complex queries
• A cron process monitor might be helpful
• XML audit is cheaper than FGA_LOG$ and AUD$
• Limiting size of audit trail tables is recommended
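The last two bullets recommend keeping AUD$ and FGA_LOG$ small. The following PL/SQL is an added example, not from the presentation, showing how an 11.2 source database can do that with DBMS_AUDIT_MGMT without purging rows the Audit Vault agent has not yet collected; the tablespace name AUDIT_TBS, the 30-day retention and the job name are assumptions.

```sql
-- Added example: bound the standard (AUD$) and FGA (FGA_LOG$) trails on a
-- source database. Assumes tablespace AUDIT_TBS exists and that the Audit
-- Vault agent has collected everything older than 30 days.
BEGIN
  -- Move both trails out of SYSTEM so audit growth cannot fill it.
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_location_value => 'AUDIT_TBS');
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    audit_trail_location_value => 'AUDIT_TBS');

  -- One-time cleanup initialisation; re-running INIT_CLEANUP raises an error.
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(
           DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
      default_cleanup_interval => 24);
  END IF;

  -- The "last archive timestamp" marks the newest row already shipped to
  -- Audit Vault; only rows older than it are eligible for deletion.
  -- (Assumption: set by hand here; a collector integrated with
  -- DBMS_AUDIT_MGMT may advance it for you.)
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '30' DAY);
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '30' DAY);

  -- Daily purge job covering AUD$ and FGA_LOG$ (AUDIT_TRAIL_DB_STD) that
  -- honours the archive timestamp, so uncollected records are never removed.
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    audit_trail_purge_interval => 24,
    audit_trail_purge_name     => 'AV_DB_AUDIT_PURGE',
    use_last_arch_timestamp    => TRUE);
END;
/
```

Run as SYS or a user granted EXECUTE on DBMS_AUDIT_MGMT, then confirm the state in DBA_AUDIT_MGMT_LAST_ARCH_TS and DBA_AUDIT_MGMT_CLEANUP_JOBS before relying on the job.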
ORACLE AUDIT VAULT USERS
• Administrator(avadmin): super administrator for management of AV portal components
• Auditor(avauditor): super auditor for report, policy, and alerting components
• Support(support): Linux OS user for ssh access
• Root(root): Linux OS root account — no ssh access
ORACLE AUDIT VAULT PASSWORDS
• First character must be alphabetical
• Special characters are restricted to , . + : _
• Upper, lower, numeric, and special characters required
• 8-30 characters long
• Cannot be the same as the username, a reserved word, or a simple word
• No repeating characters
POST-INSTALL TASKS: PASSWORDS
SETTING AV TIME & DNS
SETTING AV MAIL
REMEDIATION PROCESS (swim lanes: Admin, OPS, Audit, HR/Legal; findings tracked in APEX)
1. AV alert generated
2. Check finding to confirm finding
3. Report finding to Security OPS
4. Report investigation analysis
5. False positive found, or provide guidance with initial risk assessment
6. Inform data steward of finding
7. Complete disciplinary forms/evidence; pursue HR/Legal action
8. Complete risk assessment; provide short/long-term solutions; implement change
QUERYING THE EVENT LOG: LIVE DEMONSTRATION
Thank You